100 days of GDPR: What have we learnt?

In today’s fast-paced world, the launch of GDPR seems like an age ago. The days leading up to 25th May 2018 were frantic for many businesses as they raced to implement the right controls to meet the compliance requirements.

While the guidelines were comprehensive, GDPR told companies what to do, but not how to do it. Demand for information on how to comply was so high that Google searches for GDPR outstripped Beyoncé 10-1 in the UK in May this year.

Now that the dust has settled, and companies have initiated their new processes, what have we learnt from the implementation of GDPR and how can businesses use compliance with GDPR to their advantage?

Lesson 1 – Interest in GDPR is still high

Consumers are more aware of their data rights and are willing to act. According to the UK’s Information Commissioner’s Office (ICO) there has been a sharp rise in the number of complaints to regulators across Europe.

Commercial law firm EMW recently reported that the ICO received 6,281 complaints between 25 May and 3 July 2018, compared to 2,417 for the same period in 2017, a rise of 160%.

Since the new law took effect there has been a rise both in breach notifications from organisations and in data protection complaints. With potential fines of up to €20 million, businesses must take the new regulations seriously.

Lesson 2 – Ambiguity around GDPR has led to failure to comply

The lack of case law, and therefore the ambiguity around GDPR, means that how to comply has been left open to interpretation. As a result, a huge proportion of businesses are still not compliant with the new regulations. In August, Gartner stated that 75% of companies are still not compliant with the new regulation. It’s not just the smaller companies, with smaller budgets and resources, that are failing to comply.

In June, the European University Institute conducted an experiment using artificial intelligence to evaluate the privacy policies of high-profile websites, including Facebook, Apple, Uber and Airbnb among others, to check whether they adhered to the new GDPR guidelines. Their finding was that none of the analysed privacy policies fully met the requirements. There can be many reasons for non-compliance once the risk of GDPR penalties is weighed against customer experience and efficiency measures. A lack of knowledge and understanding is another common reason. Gathering as much information as possible about GDPR before designing the controls to meet its requirements is an important lesson.

Lesson 3 – GDPR may be costing you money

In a bid to meet the GDPR deadline, many companies rushed through temporary and manual fixes to existing processes to ensure compliance. The problem with this bolt-on approach is that the new processes may be unnecessarily complex, unsustainable and expensive. Manual processes are both error-prone and costly. Now is the time to take a long-term, strategic approach to GDPR compliance.

Take stock of the data you hold, how you ask for permission to use that data and how you store it. Ensure that compliance with GDPR isn’t hurting your bottom line. Check whether your compliance measures are introducing delay, limiting your ability to market your business, creating customer frustration, generating excessive manual processing or leaving unacceptable levels of non-compliance risk in your business. For example, intrusive privacy policy and cookie notices could be having a negative impact on the digital customer experience.

The next 100 days

If there is any ambiguity in your organisation about whether your processes comply, don’t delay another 100 days: take action today. Start with these four action points:

Action 1 – GDPR compliance could save you money
A key element of GDPR revolves around a consumer’s right to request, delete and manage his or her own data. GDPR is an opportunity to streamline your databases and automate your processes so that data can be easily deleted. GDPR compliance will evolve as your business progresses. Over-cautious controls that felt relevant during the rush before the May 2018 deadline may become less relevant as time goes on. If companies are to meet the expectations of customers and regulators alike, it’s time to develop automated, efficient, sustainable solutions.

Action 2 – Test how efficiently your processes work
Role-play how your company would react to specific situations. Under GDPR you have 72 hours to report a data breach. Simulate a data breach and ask your teams to walk through the response process step by step.

Action 3 – Review and repeat
Create a plan to regularly review, analyse and improve your processes as your business progresses. Beyond the fact that GDPR requires a regular review of compliance measures, their long-term effectiveness will depend on timely evaluation of what is acceptable in terms of risk management.

Action 4 – Use GDPR to help you prepare for MTD
In 2019, the launch of Making Tax Digital will fundamentally change the accountancy industry. Use the lessons learnt from implementing GDPR to implement the new processes more efficiently. Start your planning early. The deadline won’t go away, but how you prepare for it will significantly change your business for the better.